it('should not serve JWT for invalid password', function() {
    return frisby
      .post(host + '/api/auth/token', {
        username: 'admin',
        password: 'h4x0r',